[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Toby Murray
toby.murray at comlab.ox.ac.uk
Mon Sep 17 06:04:03 EDT 2007
Hi cap-talk,
In my work on formalising authority, I've found it useful to strengthen
the usual notion of POLA to arrive at a more general definition of what
it means for a system to be 'secure'.
The traditional definition of POLA says that
"the authority of each object/subject/program/process/user/whatever
should not exceed that needed for it to perform its function(s)."
This is useful but doesn't admit notions such as "separation of duty"
which need to be defined separately (because they appear orthogonal to
the above definition).
It also presumes there is some global administrator that can define the
correct function(s) of each entity in the system.
Instead, I've found that a better definition of what we might desire is
"the authority of each object/subject/... should not exceed that which
we trust it to wield."
In the case where "we" is a global system administrator and all entities
are trusted to perform all of their functions, this collapses to
traditional POLA. But it is also more general than POLA.
It allows security to be defined separately from multiple points of
view, for each of the stakeholders/actors in a system.
It also naturally admits separation of duty:
We might have an accounting package whose functions include writing and
approving purchase orders, for example. A running instance of that
package might be trusted to perform the former but not the latter (and
vice versa) in order to prevent it from approving its own purchase
orders.
I've found this definition to be a useful generalisation of POLA. For
example, under this definition excess authority is then defined as any
authority that a subject is not trusted to have (rather than any
authority that a subject doesn't require to perform its function(s)).
I'd be curious to get the feelings of others on this list as to its
utility.
Cheers
Toby
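As an added illustration (not part of Toby's post, and not a formal model from his work), the following Python sketch encodes the two definitions of excess authority side by side: authority minus function (traditional POLA) versus authority minus what a given stakeholder trusts the subject to wield. The subject names, the `admin` and `auditor` stakeholders and the purchase-order authorities are constructed for the example.

```python
from dataclasses import dataclass

# Constructed authority names for the accounting-package scenario in the post.
WRITE_PO = "write_purchase_order"
APPROVE_PO = "approve_purchase_order"


@dataclass(frozen=True)
class Subject:
    name: str
    function: frozenset   # authority the subject's function(s) require
    authority: frozenset  # authority the subject actually holds


def excess_authority_pola(subject):
    """Traditional POLA: excess = authority not needed to perform its function(s)."""
    return subject.authority - subject.function


def excess_authority_trust(subject, trust):
    """Post's definition: excess = authority the stakeholder does not trust it with.
    `trust` maps a subject name to the set of authorities that stakeholder trusts
    the subject to wield; anything unlisted is untrusted."""
    return subject.authority - trust.get(subject.name, frozenset())


def is_secure(subjects, trust):
    """Secure from one stakeholder's point of view: no subject has excess authority."""
    return all(not excess_authority_trust(s, trust) for s in subjects)


def trust_everything_needed(subjects):
    """A global administrator trusting every entity with its full function set.
    Under this trust relation the trust definition collapses to traditional POLA."""
    return {s.name: s.function for s in subjects}


# Constructed scenario: two running instances of the same accounting package,
# whose function covers both writing and approving purchase orders.
ACCOUNTING = frozenset({WRITE_PO, APPROVE_PO})
instance_a = Subject("acct-1", ACCOUNTING, frozenset({WRITE_PO, APPROVE_PO}))
instance_b = Subject("acct-2", ACCOUNTING, frozenset({APPROVE_PO}))
SUBJECTS = [instance_a, instance_b]

# Stakeholder 1: global admin (assumed) trusting each instance with its whole function.
ADMIN_TRUST = trust_everything_needed(SUBJECTS)

# Stakeholder 2: an auditor (assumed) imposing separation of duty, so no single
# instance is trusted to both write and approve purchase orders.
AUDITOR_TRUST = {"acct-1": frozenset({WRITE_PO}), "acct-2": frozenset({APPROVE_PO})}
```

From the admin's point of view both instances are within POLA, but from the auditor's point of view `acct-1` holds excess authority (`approve_purchase_order`), which is exactly the separation-of-duty violation the post describes.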